Draft National Health Data Management Policy

Prime Minister on the 74th Independence Day launched the National Digital Health Mission (NDHM) under which a digital health ID would be created for all Indians. The Draft National Health Data Management Policy is the maiden step in realizing NDHM’s guiding principle of individual’s security and privacy.

Content:

 In news:

• The National Health Authority (NHA) has released the Draft Health Data Management Policy of the NDHM in the public domain.
• NHA is the apex agency of the Government of India responsible for the design, roll- out, implementation and management of Ayushman Bharat-PM-JAY and NDHM across the country.
• The objectives of the draft Policy includes creation of a framework for secure processing of personal and sensitive personal data of individuals who are a part of the NDHM.
• It is in compliance with all applicable laws and international standards such as ISO/TS 17975:2015 that defines the set of frameworks of consent for the collection and processing of health data by healthcare practitioners and other entities
• It encompasses various aspects pertaining to health data like data privacy, consent management, data sharing & protection.

Provisions:

• All health records of an individual would be stacked at one place thus not restricting the health records of a person to just the health facility where they undergo treatment.
• The policy permits hospitals, diagnostic centres and other entities, known as data fiduciaries, to collect personal or sensitive personal data as specified in the policy.
• Sensitive personal data include a person’s physical, physiological, and mental health data, financial information, sex life, sexual orientation, medical records and history, biometric data, and genetic data.
• Other information which can be collected under this head include transgender status, intersex status, caste or tribe, and religious or political belief or affiliation.
• Those who opt to avail the health ID card, (referred to as data principals in the document) are given complete control and decision-making power over how their personal data is collected and processed.
• Any personal data or sensitive personal data can be collected only after the consent of the individual.
• Individuals also have the right to revoke the consent or restrict sharing of any personal data at any time.
• Any personal or sensitive data which is not essential for this purpose shall not be processed for creating the ID.
• Privacy notes should be shared with individuals not only while enrolment, but also when it is modified and also before further processing for any previously unidentified purpose.
• Before engaging with any data processor, fiduciary must enter into a contract.
• The data fiduciary will also have confidentiality agreements and non-disclosure agreements.
• Regular audits by independent auditors approved by the Central Government should be carried out at least once every year to ensure compliance.
• Any data processed under this policy should not be made public – if it is being used for clinical or academic research, statistical analysis, policy formulation, etc., the data must be anonymized or de-identified in an aggregated form.
• Those institutions with access to the data under NDHM must have a designated Data Protection Officer (DPO) so that individuals who have queries must be able to approach the DPO.
• The data fiduciaries should formulate and implement a ‘personal data breach management mechanism’ to make sure that any instances of violation or non-compliance get promptly reported to the NHA and other relevant entities.
• NHA should formulate and implement procedures to ‘identify, track, review and investigate’ such incidents and maintain a record of these instances along with the action taken.
• In case of any incident of data breach, the person responsible for it will be liable in accordance with the provisions of applicable law.

Importance:

• The confidential health data will be collected from individuals across the country and stored at multiple levels- Central, State/Union Territory, and at the health facility level and hence electronic health records of individuals can now be accessed from anywhere in the country digitally. 
• It increases awareness of the importance of data privacy.
• It instills a privacy-oriented mindset among all the stakeholders and participants of the ecosystem.
• It could be an important step towards achieving the United Nations’ SDG of Universal Health Coverage by covering financial risk protection, increasing access to quality essential healthcare services, medicines and vaccines for all.

Criticisms:

• It is criticized as its concern is more about data than about health.
• This could lead towards greater privatization of health care.
• The Internet Freedom Foundation has also filed a petition in the Delhi High Court on the draft policy.
• There are concerns about the implementation and data privacy aspects.
• The information might be vulnerable to attack and misuse.